
Getting double login request with HTTPS switch

Dec 28th, 2005, 12:28 PM

I've got a website that I'm trying to secure with Acegi 1.0.0-RC1 and I'm having a problem where the user is forced to log in twice. It appears to be related to Channel Security because if I disable that, the problem goes away. My goal is to have the login process secured via HTTPS, but return to HTTP after login.

Here's the scenario to reproduce the problem:

1) User requests the home page /index.jsp (HTTP)
2) User clicks Login to go to /login.jsp, which is secure (HTTPS), but not restricted by role
3) User enters their username and password and submits the login form:
<form action="/myWebapp/j_acegi_security_check" method="POST" >
4) A successful login sends them to /redirect.jsp (HTTP or HTTPS).
5) /redirect.jsp redirects them using a Meta Refresh to /secure/index.jsp (HTTP mandatory).

That is a successful path, which users get the first time. I added the redirect.jsp step because if I configure Acegi to go straight to /secure/index.jsp, I get an IE warning about redirection to an insecure URL.

Here's the problem. If I restart the webapp context or the user's session expires and then repeat the steps above, step 5) fails to redirect me to /secure/index.jsp and instead I receive the login screen again. If I again present the right credentials, I go straight to the /secure/index.jsp, skipping the /redirect.jsp.

Looking in the debug output, it appears that I log in successfully, but Acegi somehow forgets that I'm logged in. It may be related to HTTP vs HTTPS cookies, I'm not sure. Here's the relevant snippet of the log that appears after the first login attempt: